some indie thoughts on management, leadership, strategy and execution of software development

Tag Archives: Risk

Risk-seeking behavior has been stereotyped and templated over the years. We routinely associate rash and optimistic planning, aggressive schedules, seeking new gold, banking on unproven technology, and building for newer markets as some of the risk-taking behaviors. Unfortunately, we automatically assume that things that are non-risky are safe. But are they?

Risk is measured as a potential (and most often negative) impact on a project’s deadlines, cost or quality of its outcome due to uncertainty around a future event. To that end, we think buying a new house with a 20-year loan is a risk because we can’t predict and plan for what all could happen in next 20 years. Similarly, planning a multi-year project is a risk because so much can happen that impacts a project in those several years – technology gets obsolete, requirements change, key stakeholders move out and the new ones have a different expectation from the product, users figure out better ways to organize their needs, etc.

All this makes sense. However, somewhere our thinking has gone wrong from here. The opposite is risk is not safe – in fact, it is also risk. Let’s take some examples:

Leaving a job or starting out on your own might be risky – you might land in similar or even worse situations, or take forever to prove yourself in a new company, new culture, new people, new way of working, or your startup might just crashland after a few months. However, staying back in the job might also be risky – you might not learn and grow, or could get laid-off, or your company might go out of business!

Using a new unproven technology could be risky – you might be addressing a lot of first-time issues, or deal with more than a fair share of unknowns and uncertainties. However, sticking on to old technology could mean lesser opportunities for innovation, limitations on scalability and performance and eventually being the long-tail customer for some stone-age technology with no customer support, no upgrades and unavailable parts.

Creating a new drug in pharmaceutical sector is a typical risk of $600-800m over a period of multiple years. After all that investment, which essentially is a ‘sunk cost’, there is every risk of just writing-off entire hard work, effort and money, and start afresh. But, by choosing to not undertake that route, you might miss the opportunity to create a worldwide patent to produce, own and market that drug, not to mention, the lost opportunity to serve the mankind better.

If you promote people from within, you run the risk of making an old guard lead the change brigade – chances are that the old guard might not personally prefer that change, or is very comfortable with it. However, if you bring an outsider, he might lack the initial political or social capital to get everyone together on a page and lead such ambitious change.

When I read message boards on entrepreneurship, I find an almost universal contempt for people who are not entrepreneurs. The general thought is that this set of folks is too risk-averse. And then I think about folks who are investing their blood, sweat and tears into their jobs and pushing against organizational inertia to bring out changes that are just as challenging and sexy as what entrepreneurs outside those organizations are pursuing. Who says it is easy to pursue such innovative ideas in a large organization?

In fact, Peltzman Effect is a great way to explain how derisking something in fact creates a completely unintended effect by encouraging people to indulge in a behavior that again raises the risk, thus effectively nullifying the very intent to reduce risk in the first place.

So, I have come to believe that our thought process around what constitutes risk and what is considered as safe is essentially flawed. There is an inherent risk in every endeavor – and opposite of that is not safe. Opposite of that is just another type, shape and form of risk, and requires just as much, if not more, systematic analysis.

How do you decide what tasks to schedule first: the complex ones or the easy ones? the short ones or the long ones? the risky ones or the sure-shot ones? Most often, this task sequence is determined by hard logic, soft logic, or some other external constraints. However, how do you decide when there are no such contraints?

If we look at the risk driving the project lifecycle and scheduling, then it is natural to expect high-risk tasks being tackled at the start just so that we are systematically driving down risks in the project and achieve higher certainty levels as we get close to the project. However, it seems inconceivable that someone will cherry-pick the easy tasks first and leave all high-risk ones for the end! Clearly, that is setting up the project for a grand finale of all sorts!

Could complexity be a good measure then? What will happen if we take high complex tasks first? Surely, that will lead to tackling some of the most difficult problems first, and there might also be a high level of correlation between complexity and risk. So, taking this approach is also likely to significantly lower a project risks. However, not all tasks are created equal. It is likely that high-risk tasks not the longest, so while the project makes appreciable gains in lowering the risk, but doesn’t make a whole lot of progress.

Agile approaches, Scrum in particular, rely on driving the tasks that make biggest sense to the customer – tasks that deliver maximum value to the customer. However, there is no guarantee that this will help lower the project risks, or manage the schedule better. Similarly, Kanban helps manage tasks but doesn’t really spell out how they should be scheduled.

3. Avoid the curse of the “final push.” Scope and sequence a project so that each part is shorter than the one that precedes it. Feeling the work units shrink as you go gives you a tangible sense of progress and speeds you toward the end. When you leave the long parts for last, you’re more likely to get worn out before you finish. Besides, if you’re “dead at the deadline,” those other projects you’re juggling will stagnate.

This seems like a very practical suggestion – often the tendancy is to ‘cherry pick’ while scheduling the tasks – we tend to pick up tasks that are favorite to people, or appear to be easier to take up. However, very often, we end up taking more time, and project gets delayed. If the tasks are scheduled such that big/complex tasks are scheduled first, that might mitigate lot of risk pertaining to last-minute issues (could be due to underestimation, or integration issues, etc.). However, I am not 100% sure that purely scheduling tasks on “longest-task first” basis is the best policy to lower risks in a project. Shouldn’t we be using a combination of top-risk items that are longest?

I haven’t used this approach yet, but seems like something to try. How about you – what’s your favorite way to schedule tasks?

Risk is generally assumed to have negative impact. However, a ‘risk’ can also have a positive impact. PMBOK 4/e talks of positive risks and calls them ‘opportunities’. Given that most project managers only have a passing knowledge of managing risks proactively (our industry still seems to reward crisis management notwithstanding the fact that most often people who fix a crisis were responsible for it in the first place!), it is extremely likely that most such opportunities are wasted.

A risk is just a future event with probability of occurance between 0% and 100%. If such probability is 100%, surely that is a certainty, and hence can be put on the plan. If it is 0%, again it is a certainty and hence you can plan accordingly. Risks are also known as ‘known unknowns’ because we know about those events – just that we don’t know what it exact outcome will be. So, it quite likely that the outcome could be positive, and need not always be negative. Sample the following examples of events that could have a positive impact:

You have made an offer to a manager whose company is fast running out of cash. The grapevine has it that they might not get any funding, and have just weeks before they fold up. If that happens, there is a strong likelihood that the manager whom you have made an offer will join you. Even though this is a negative event par se for that company, but for you, that is a positive event.

Your competitor initially undercut his prices and won the bid, but now he is in the danger of being disqualified on technical grounds. His loss means business for you, and hence that is a positive risk.

You offer “no-questions asked product replacement warranty” within 60 days of purchase. You allocate 5% of your your operating margin. Your new product has proved to be a great hit among teenages, and is flying off the shelves, and you expect that cost of product replacement might be within just 2%, thereby improving your overall profit margins on this product.

You need to arrive at airport on-time, and your commute is through the rush hour. You leave home well in-time, but it is tough and go. However, there is a football match that evening, and it is likely that you find the traffic very thin – possibly because most people are glued to their TV sets.

Your new software provides a workflow for managing personal finances. An NGO needs a low-cost software to manage its micro-finance product, but best-matching product is out of their reach. Your product *might* meet most of the requirements, including being in the budget, if only they can tweak their workflow a bit.

You are in construction business, and learn that government is toying with the proposal to reduce duties on cement and steel by 20%.

A major competitor who is also a large employer in the city is likely to announce lay-offs.

Because of an early delivery of an input component, you might be able to shave-off weeks from your delivery schedule.

City administration is likelyÂ to announceÂ construction ofÂ a new Â flyover that will cut down city commute and decongest the downtown.

You are a tour operator and the international travel association is likely to name your region in “Top Ten Places to visit before you die” list.

Surely, these are simple examples, but demonstrate there are always positive risks in pretty much any project. However, we generally ignore them, and hence are not able to capitalize on them (we typically end up using the ‘accept’ strategy without even recognizing there might be other better ways of maximizing those risks or its returns). In addition to identifying positive risks, these four risk response strategies are identified to maximize the risk or impact of such positive risks:

Exploit – this strategy aims to eliminate the uncertainty associated with a particular upside risk by ensuring the opportunity definitely happens. Since this is a positive risk, the outcome is likely to be positive. However, there is an uncertainty to it, so if there is a way to eliminiate such uncertainty and make it a certainty, it ensures that you reap the benefits of such a positive risk. The idea is to virtually guarantee that a given risk becomes a certainty! Let’s consider some examples:

Suppose you are developing a prototype. If your customer likes it, your order book could be full for next few years! You have been diligent so far, and now have the prototype ready a week before delivery date. You are 70% sure that the customer will like your prototype, but instead of deliverying early, you decide to subject the prototype to even more stringent testing and analysis. Ideally, you will want to raise such probability to 100%, but that might not always happen. However, you put all efforts to make such event a certainty.

Another example – you have to make product release next weekend – if that happens, your customer might be able to roll out new services to its customers.Â You pull out some of the best technical folks on other projects and put them on this task to ensure that it happens.

Your biggest customer might be willing to give you 2x, or even 3x business if only you stopped working for his biggest competitor. You take the call to stop working with the competitor and make that event happen.

Share – Sharing a positive risk involves allocating some or all of the ownership of the opportunity to a third party who is best able to capture the opportunity for the benefit of a project. Â Here, the idea is to involves more players who also becomes stakeholders so thatÂ collectively raise the winnings. This strategy might be handy for some types of risks that might have have a positive uncertainty, but chances are that by yourself, you might by constrained in how much you can win. By involving other complementary players, you not only push the envelope, you get others to the game, make the game bigger and help everyone win, thereby also maintaining your own interest.

You are building a cool product that you expect to be a best seller. However, you lack the product design or marketing expertize to fully explout this opportunity. Instead of home-growing those capabilities, you decide to get experts on this project who are fired up with this challenge.

Apple uses this extremely well. By making its iPhone APIs available to larger developer community, it has been able to ensure that there is a dedicated army of developers constantly working to create highly innovate apps. This has resulted in over 100,000 such apps being available on iPhone!

You have developed a new intellectual property that promises to be a revolution. Instead of patenting it, you decide to open-source it to create a major eco-system of other vendors who might get interested to develop tools and apps around that technology thereby pushing the envelope.

Enhance – the idea is to increase the probability or impact of a positive risk. Increasing probability might not make it a certainty, but does improve the chances of the positive event happening. Improving the impact might not be necessarily associated Â with an increase in the probability itself, but might lead to a higher yield should the event happen. Of course, there is also an opportunity to do both of them simultaneously!

Let’s assume there is a cloud cover over a drought-hit region and there is a 20% possibility of rain. What do you do? You can utilize scientific methods like cloud-seeding to improve the possibility of rain to, say, 40%. In this example, you can’t increase the impact, but you are able to increase the possibility of that event.

This strategy is used quite well by retailers, especially in apparels industry. Studies have shown that home labels (or we can just call them the unbranded stuff) has a higher chances of being bought when carefully placed alongside branded apparels than standalone. This simple placement trick increases the chances of customers picking up home labels.

Companies and industry trade association hire lobby firms to influence lawmakers and citizens to look at some important regulation more favorably, thereby maximising chances of its adoption and eventual success.

While pushing for a new idea, sometimes you want to socialize it with a key voice in the organization, or perhaps get some industry references that generally extol benefits of that idea, thereby increasing the chances that your idea gets accepted.

This story illutsrates a great example of how one can both increase the probability and the impact simultaneously. I blooged about it in a different context, but you can read the story Are you helping your competitors succeed?

Accept – Accepting the opportunity is being willing to take advantage of it if it comes along, but not actively pursuing it. When I earlier said most of us ignoreÂ positive risks, we probably work in a passive mode, and pick up those low-hanging fruits. While this might not be a bad idea, in some cases, you might not want to incur the cost of ensuring that a certain risk does happen. So, this is like a zero-cost effort where if the positive risk happens, you are willing to grab it.

For example, you have just started out your consulting venture and are busy doing the legwork for it, and don’t want to take up an assignment for the coming month lest it interferes with your initial preparations. You hear about a business in distress that needs exactly the kind of consulting that you are offering, but decide not to actively pursue it. However, when they call you up, you are willing to take the call.

A competitor is likely to go out of business and you might benefit when that happens, but you don’t want to be seen as a bad rival trying to accelerate his downfall. So, you decide to take it easy and monitor the situation, but when that happens, you gladly step in.

You want to take homeloan. There is a chance that interest rates will come down in the coming quarter. Instead of waiting for that to happen (or, it might not even happen), you decide to take the loan right now. If the interest rates go down, you benefit.

Identifying and exploiting positive risks doesn’t require any special talent, but it does require a systematic effort to spot such opportunities. While negative risks are typically more dangerous and hence it makes great sense to avoid, transfer or mitigate them, positive risks could make a significant difference to your project’s chances of success. As we see in these examples above, many of these opportunities will fly under your radar if not proactively pursued. A holistic risk management strategy should always consider all types of risks and identify appropriate responses.